Thanks to colleague Jeff K for pointer to recent NESCOR reports.
First things first: in IBM and elsewhere the phrase "secure by design" is used to describe a project or a system where security requirements are considered at the earliest stages, right along with all the functional requirements.
Now for new initiates, WAMPAC = Wide Area Monitoring, Protection and Control, and the term refers to a group of new technologies and capabilities that will put the Smart in Smart Grid much more than the more attention grabbing Smart Meter.
This IEEE abstract does a better job defining WAMPAC than I could, so here you go:
Market driven grid management, increased number of renewable/distributed generation sources, complexities to address reactive support, and a progressively more stressed transmission network have increased the complexity of operation, monitoring, control and protection of large interconnected electric power systems considerably. Power-grid congestion issues and disturbances worldwide have emphasized the need to enhance power grids with WAMPAC systems as a cost-effective solution to improve grid planning, operation, maintenance, and energy trading. WAMPAC systems take advantage of the latest advances in sensing, communication, computing, visualization, and algorithmic techniques.Sounds like one could become rather dependent on systems like this, no? So you would want to ensure that the P in WAMPAC includes protection of the system itself so the system can do its job helping to protect the grid. Alas, it seems, that's not how it's gone down so far.
Please allow me to pause for a brief, somewhat alarmist thought. Let your mind wander for a moment and imagine the importance of data integrity in such a system, and what could befall large chunks of the grid should the data that drives WAMPACs be modified surreptitiously by an uninvited 3rd party.
From the most recent draft of the Annabelle Lee and EPRI-led security review of WAMPAC initiatives underway, we get the following findings up front:
- Several WAMPAC standards were developed on a fast track, and several new standards are either in the final approval or development stage. During this standards development organization (SDO) process, guidelines for a consistent approach to cyber security requirements across the standards were not developed
- Most of the WAMPAC standards do not mention any cyber security requirements. Some that do mention cyber security but at a very generic level, suggesting that such issues should be addressed by separate standards focused on cyber security.
Long suffering security pro's will hardly be surprised by the lack of inclusion of security requirements, even for projects as important as WAMPAC. Others may be be surprised. Whichever camp you fall in, you can read the full report HERE. Lots of good recommendations included, though you can't help but wish we weren't in bolt-on security mode again.
Photo credit: ISO New England